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Abstract 

Confluence is a fundamental property of Constraint Handling Rules (CHR) since, as in 
other rewriting formalisms, it guarantees that the computations are not dépendent on 
rule application order, and also because it implies the logical consistency of the program 
déclarative view. In this paper we are concerned with proving the confluence of non- 
tcrminating CHR programs. For this purpose, we dérive from van Oostrom's decreasing 
diagrams method a novel criterion on CHR critical pairs that generalizes ail preexisting 
criteria.We subsequently improve on a resuit on the modularity of CHR confluence, which 
permits modular combinations of possibly non-terminating confluent programs, without 
loss of confluence. 
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1 Introduction 



Constraint Handling Rules (CHR) is a committed-choice constraint logic program- 



ming language, introduced by |Frùhwirth ( 1998 ) for the easy development of con- 



straint solvers. It has matured into a general-purpose concurrent programming lan- 
guage. Operationally, a CHR program consists of a set of guarded rules that rewrite 
multisets of constrained atoms. Declaratively, a CHR program can be viewed as a 
set of logical implications executed on a déduction principle. 

Confluence is a basic property of rewriting Systems. It refers to the fact that 
any two finite computations starting from a common state can be prolonged so as 
to eventually meet in a common state again. Confluence is an important property 
for any rule-based language, because it is désirable for computations to not be dé- 
pendent on a particular rule application order. In the particular case of CHR, this 



property is even more désirable, as it guarantees the correctness of a program ( Ab 



dennadher et al. 1999 Haemmerlé et al. 2011 1: any program confluent has a consis 



tent logical reading. Confluence of a CHR program is also a fundamental prerequi- 



site for logical completeness results (Abdennadher et al. 1999 Haemmerlé 2011a I 



* The research leading to thèse results has received funding from the Programme for Attracting 
Talent / young PHD of the MONTEGANCEDO Campus of International Excellence (PICD), 
the Madrid Régional Government under the CM project P2009/TIC/1465 (PROMETIDOS), 
and the Spanish Ministry of Science under the MEC project TIN-2008-05624 (DOVES). 
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makes possible program parallclization (Frùhwirth 2005 Meister 2006), and may 



simplify program équivalence analyses ( Abdennadher and Frùhwirth 1999 Hacm 



merle 2011b). 



Following the pioneering research of Abdennadher et al. (19961, most existing 



work dealing with the confluence of CHR limits itself to terminating programs (see 



for instance the works by Abdennadher ( 1997) and Duck et al. (2007)). Nonetheless 



proving confluence without global termination assumptions is still a worthwhile 
objective. 

From a theoretical point of view, this is an interesting topic, because, as illus- 
trated by the following example typical CHR programs fail to terminate on the level 
of abstract semantics, even if they do terminate on more concrète levels. Indeed, 
number of analytical results for the language rest on the notion of confluence, but 
only when programs are considered with respect to abstract semantics. For instance, 
in the current state of knowledge, even a resuit as important as the guarantee of 
correction by confluence only holds when programs are considered with respect to 
the most gênerai opération semantics for CHR, namely the very abstract semantics. 

Example 1 {Partial order constraint) 

Let V\ be the classic CHR introductory example, namely the constraint solver for 
partial order. This consists of the following four rules, which define the meaning of 
the user-defined symbol < using the built-in equality constraint = : 



duplicate 
reflexivity 
antisymmetry 
transitivity 



x < y\x < y 
x < x T 
x < y, y < x < 
x < y, y < z = 



> T 

> x = y 

x < z 



The duplicate rule implements so-called duplicate removal. In other words, it 
states that if two copies of the same user-defined atom are présent, then one of 
them can be removed. The reflexivity and transitivity rules respectively state that 
any atom of the form x < x can be removed, and that two atoms x < y and x < y 
can be substituted with the built-in constraint x = y. Finally, the transitivity rule 
is a propagation rule. It states that if x < y and y < z are présent, then the atom 
x < z may be added. 

It is well know that this program, like any other program using propagation rules, 
faces the so-called trivial non-termination problem when considered with respect to 
the very abstract semantics. Indeed, for thèse semantics, a propagation rule applies 
to any state it produces, leading to trivial loops. In order to solve this problem, 



Abdennadher (1997) proposed a token-based semantics in which propagation rules 



may be applicd only once to the same combination of atoms. Nonetheless, such a 
proposai does not solve ail the problems of termination. Indeed the transitivity rule 
may loop on queries containing a cycle in a chain of inequalities when considered 
against Abdennadher 's semantics. Considcr, for instance, the query x < y, y < x. 

In fact, in order for V\ to be terminating, the rules of reflexivity, antisymmetry, 
and transitivity must have priority over the transitivity rule. This behaviour can 
be achieved by considering concrète semantics, such as the refined semantics of 
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Duck et al. ( 2005 ) . Thèse semantics reduce the non-determinism of the CHR exé- 



cution model by applying the rules in textual order. 

In exchange for gaining termination, the most concrète semantics lose a numbcr 



of analytical results. For instance, as explained by Frùhwirth (2009), although any 



CHR program can be run in parallel in abstract semantics, one can obtain incorrect 
results for programs written with the refined semantics in mind. Indeed, if the 
rcsult of a program relies on a particular rule application order, parallel exécution 
will garble this order, leading to unexpected results. Interestingly, confluence on 
an abstract (but possibly non-terminating) level may corne to the rescue of the 
most concrète semantics: If a program is confluent on a semantic level where the 
rule application order is not specified, then the resuit will not be dépendent on 
the particular application order. Similar considérations have been discussed for 



équivalences of CHR programs (Haemmerlé 2011b). 



From a more practical point of view, proving confluence without the assumption 
of termination is important, because it may be désirable to prove the confluence 
of a program for which termination cannot be inferred. Indeed, there exist very 
simple programs, such as the Collatz function, for which termination is only a con- 



jecture (Guy 2004|. Furthermore, since CHR is now a general-purpose language, 



analytical tools for the language must handle programs that do not terminate on any 
semantic level — for instance, interpreters for a Turing-complete language (Sneyers 



et al. 2009), or typical concurrent programs (see the numerous examples of con- 



current Systems given by Milner (19991). We have also recently demonstrated that 
non-terminating exécution models for CHR yield élégant frameworks for program- 



ming with coinductive reasoning (Haemmerlé 2011a). As a motivating example for 



the class of intrinsically non-terminating programs, we will use the following solu- 
tion for the séminal dining philosophers problem. 

Example 2 {Dining philosophers) 

Consider the following CHR program V 2 that implements a solution to the dining 
philosophers problem extended to count the number of times a philosopher eats: 



eat @ t{x,y,i),f{x),î{y) 
thk @ e(x,y,i) 



e(x, y,i + l) 



The atom f(x) represents the fork x, the atom e(x,y, i) (resp. t(x, y, i)) represents 
an eating (thinking) philosopher seated between forks x and y, who has already 
eaten i times. On the one hand, the rule eat, states that if a thinking philosopher 
is seated between two forks lying on the table, then he may start eating once he 
has picked up both forks. On the other hand, the rule thk states that a philosopher 
may stop eating if he puts down the forks he has been using. The initial state 
corresponding to n dining philosophers seated around a table can be encoded by 
the set of atoms f(l), t(l, 2, 0), f(2), t(2, 3, 0), • • • î(n),t(n, 1, 0). 

Despite the fact that this program is intrinsically non-terminating, we may be 
interested in its confluence, for example, so that we may make use of one of the 
previously mentioned applications (e.g. confluence simplifies observational équiva- 



lence (Haemmerlé 2011b)). Confluence of V2 may also simplify the proofs of funda- 
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mental propcrtics of concurrent Systems, such as, for instance, the absence of dead- 
lock: Starting from the initial state, one can easily construct a dérivation where the 
î th philosopher (i 6 1, . . . , n) has eaten an arbitrary number of times. Hence if V2 is 
confluent, we can then infcr that it is possible to extend any finite dérivation such 
that the i th philosopher eats strictly more, i.e. no dérivation leads to a deadlock. 

To the best of our knowledge, the only existing principle for proving confluence of 



non-terminating programs is the so-called strong confluence critcrion (Haemmerlé 



and Fages 2007 Raiser and Tacchella 2007). Howevcr this criterion appears to be too 



weak to apply to common CHR programs, such as Examples [î] and [2j In this paper, 
we are concerned with cxtcnding CHR confluence theory to be able to capture 
a large class of possibly non-terminating programs. For this purpose we dérive 
from the so-called decreasing diagrams technique a novel criterion that generalizes 
ail existing confluence criteria for CHR. The decreasing diagrams technique is a 



method developed by van Oostrom (1994) which subsumes ail sufficient conditions 



for confluence. Applying this method requires that ail local rewrite peaks (i.e. points 
where the rewriting relation diverges because of non-determinism) can be completed 
into so-called decreasing diagrams. 

The présent paper présents two main contributions. In Sect. |4j we présent a 
particular instantiation of the decreasing diagrams technique to CHR, and show 
that in the context of this particular instantiation, the vérification of decreasing- 
ness can be restricted to the standard notion of critical pairs. Then in Sect. [5] wc 



extend the so-called modularity of confluence ( Frùhwirth 2009 ) so as to be able to 
combine programs which have independently been proven confluent, without losing 
confluence. 



2 Preliminaries on abstract confluence 

In this section, we gather some required notations, définitions, and results on the 



confluence of abstract rewriting Systems. Terese s compcndium (20031 can be re- 
ferred to for a more detailed présentation. 

A rewrite relation (or rewrite for short) is a binary relation on a set of objects E. 
For any rewrite the symbol 4— will dénote its converse, — > = its reflexive closure, 
— > + its transitive closure, and — » its transitive-reflexive closure. We will use — > a ■— >p 
to dénote the left-composition of ail rewrites — > a and — >p. A family of rewrites is a 
set (->«)(,£/ of rewrites indexed by a set I of labels. For such a family and any set 
K, — will dénote the union U Q e(A'n/) (~ 

A réduction is a finite séquence of rewriting steps of the form (eo — f B i e i -^a 2 
•■■ -^> Qn e n ). Such a réduction would be abreviated as eo ^->a e n with â = 
ai, a2, . . . , a n when the intermediary states ei, . . . , e„_i are not relevant. A peak 
is a pair of réductions ei <—s e e r from a common élément e. A local peak 
is a peak formed by two one-step réductions. A valley is a pair of réductions 
e i e ' ^ — M e r ending in a common élément e'. A peak e; < — „ e ~~^â' e r 

is joinable by • if it is true that e; • e r . 
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Fig. 1. Confluence Fig. 2. Local Confluence Fig. 3. Strong confluence 



A rewrite — > is terminating if there is no infinité séquence of the form eo — > e\ — > 

ê2 . . . Furthermore, we will say that —s- is confluent if (« ») Ç (-»•«-) holds, locally 

confluent if (<; »•) Ç (-»•«-) holds, and strongly confluen^ if (< >) Ç (—>•=■•<— =) 

holds. Figures [ÎJ [2] and |3]graphically represent thèse définitions. Following standard 
diagrammatic notation, solid edges stand for universally quantified rewrites, while 
dashed edges represent existentially quantified rewrites. 



By the séminal lemma of Newman (1942 ) , we know that a terminating and locally 



confluent rewrite is confluent. Another famous resuit due to Huet (19801 ensures 
that strong confluence implies confluence. 



We now présent a slight variation due to Hirokawa and Middeldorp (20101 of 
the so-called decreasing diagrams technique, which is more suitable for our pur- 



poses. The interest of the decreasing diagrams method (van Oostrom 19941 is that 



it reduces problems of gênerai confluence to problems of local confluence. In ex- 
change, the method requires the confluence diagrams (i.e. the way peaks close) 
to be decreasing with respect to a labeling provided with a wellfounded preorder. 
The method is complète in the sensé that any countable confluence rewrite can be 
equipped with such a labeling. But because confluence is an undecidablc property, 
finding such labeling may be difficult. 

In the rest of this paper, we will say that a preorder is wellfounded, if the strict 
preorder >- associated with >p (i.e. a >- (3 iff a f3 but not [3 fc= a) is a terminating 
relation. Let (—ï a )aei be a family of rewrites and ^ be a wellfounded preorder on 
/. A local peak e; -s— a e —ïp e r (a, /3 G I) is decreasing with respect to )p if the 
following holds: 



ei 



>r{ a } 



where for any set K of labels, stands for {7 e / | 3S e K.S )p 7} and YK for 
{7 G / | 3<5 G K.ô y 7}. A family (—> a ) a ei of rewrites is (locally) decreasing if ail 
local peaks of the form u ^— a ■ — >p v (a, (3 G I) are decreasing with respect to a 
common wellfounded preorder on I. A rewrite is (locally) decreasing if it is the union 
of some decreasing families of rewrites. Property (*) is graphically represented in 
Figure [4] 



■Y{/3} 



(*) 



1 For the sake of simplicity, we use a définition weaker than the one of |Huet (198Ô] |. It is worth 
noting, that the counterexamples given in introduction stay relevant for the gênerai définition. 
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Fig. 4. Local decreasingness 



Theorem 3 {Decreasing Diagram (van Oostrom 1994)) 

A countable rewrite is confluent if and only if it is locally decreasing. 



We recall now some other state-of-the-art results which will be used later. 



Lemma 4 ( Terese 2003) 



(i) For ail rewrites -> 2 if ■ Q (^2 • then • -» 2 ) Ç (^> 2 ■ 
(ii) For ail rewrites — >\— >2 s. t. — >i Ç —> 2 Q -^2 is confluent iff — >i is confluent. 



3 Preliminaries on Constraint Handling Rules 

In this section, we recall the syntax and the semantics of CHR. Friihwirth's book 
(2009) can be referred to for a more gênerai overview of the language. 



3. 1 Syntax 

The formalization of CHR assumes a language of (built-in) constraints containing 
equality over some theory C, and defines (user-defined) atoms using a différent set of 
predicate symbols. In the following, 7Z will dénote an arbitrary set of identifiers. By 
a slight abuse of notation, we allow confusion of conjunctions and multiset unions, 
omit braces around multisets, and use the comma for multiset union. We use fv(<f)) 
to dénote the set of free variables of a formula 4>. The notation 3.^,0 dénotes the 
existential closure of <f> with the exception of free variables of ip. 

A (CHR) program is a finite set of eponymous rules of the form: 

(Y @K\H G | B;C) 

where K (the kept head) , El (the removed head) , and B (the user body) are multisets 
of atoms, G (the guard) and C (the built-in body) are conjunctions of constraints 
and, r G 1Z (the rule name) is an identifier assumed unique in the program. Rules 
in which both heads are empty are prohibited. An empty guard T (resp. an empty 
kept head) can be omitted with the symbol | (resp. with the symbol \). Rules are 
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divided into two classes: simplification rule^j if the removed head is non-empty and 
propagation rules otherwise. Propagation rules can be written using the alternative 
syntax: 

(Y @ K => G | B; C) 



3.2 Operational semantics 

In this section, we recall the equivalence-based operational semantics uj e of Raiser| 



et al. (2009[ ). It is équivalent to the very abstract semantics oj va of Frùhwirth (19981 



which is the most gênerai operational semantics of CHR. We prefer the former be- 
cause it includes an rigorous notion of équivalence, which is an essential component 
of confluence analysis. 

A ( CHR) state is a tuple (C; E; x), where C (the user store) is a multiset of atoms, 
E (the built-in store) is a conjunction of constraints, and x (the global variables) 
is a finite set of variables. Unsurprisingly, the local variables of a state are those 
variables of the state which are not global. When no confusion can occur, we will 
syntactically merge user and built-in stores. We may futhermore omit the global 
variables component when states have no local variables. In the following, we use S 
to dénote the set of states. Following |Raiser et al.[ we will always implicitly considcr 
states modulo a structural équivalence. Formally, this state équivalence is the least 
équivalence relation = over states satisfying the following rules: 

. (E;C;i> = (E;D;5) if C 1= 3. (E>ï) C o 3 <m B 

. (E;_L;â>) = (F;l_;y) 

• (A, c; C, c—d; x) = (A, d\ C, c=d; x) 

• (A; C; x) = (A; C; {y} U x) if y £ fv(A, C). 

Once states are considered modulo équivalence, the opération semantics of CHR 
can be expressed by a single rule. Formally the operational semantes of a program 
V is given by the least relation on states satisfying the rule: 

(r @ K\H <s=^> G|B; C) e Vp lv(r) n fv(E, D, x) = 
(K,H,E;G,D;x) A (K, B, E; G, C, D; x) 

where p is a renaming. A program V is confluent (resp. terminating) if —ï is con- 
fluent (resp. terminating). 

Bcforc going further, we recall an important property of CHR semantics. This 
property, monotonicity, means that if a transition is possible in a state, then the 
same transition is possible in any larger state. To help reduce the level of verbosity 



we introduce the notion of the quantified conjunction of states (Haemmerlé and 



Fages 2007). This operator allows the composition of states with disjoint local vari- 



ables while quantifying some of their global variables (i.e. changing global variables 



2 Unlike standard présentations, our définition does not distinguish between simplification rules 
form the so-called simpagation rules. 
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into local ones). Formally, the quantifiée! conjunction is a binary operator on states 
parametrized by a set of variables z satisfying: 

(E; C; x) © 2 (F; D; y) = (E, F; C, D; (xy) \ z) if (fv(E, C) n fv(F, D)) C (x n y) 

Note the side condition is not restrictive, as local variables can always be renamed 
using the implicit statc équivalence. 

Proposition 5 (Monotonicity of CHR) 

Let V be a CHR program, S, S%, S2 be CHR states, and x be a set of variables. 
If Si ■£> S 2 , then Si® s S^ S 2 ©j S 



3.3 Déclarative semantics 

Owing to its origins in the tradition of CLP, the CHR language features déclarative 
semantics through direct interprestation in first-order logic. Formally, the logical 
reading of a rule of the form: 

K\H <^ G | B; C 

is the guarded équivalence: 

V((KAG) (Bh3. (p) (GaCA1))) 

The logical reading of a program V within a theory C is the conjunction of the 
logical readings of its rules with the constraint theory C. It is denoted by CV. 

Operational semantics is sound and complète with respect to this déclarative 



semantics (Frùhwirth 1998 Abdennadher et al. 1999). Furthermore, any program 



confluent with respect to w e has a consistent logical reading (Abdennadher et al 



1999 Haemmerlé et al. 2011) 



4 Diagrammatic confluence for Constraint Handling Rules 

In this section, we are concerned with proving confluence of a large class of CHR 
programs. Indeed, as explained in the introduction, existing criteria are not suf- 
ficiently powerful to infer confluence of common non-terminating programs. (See 



Examples 13 and 14 for concrète examples). To avoid this limitation, we will dérive 
from the decreasing diagrams technique a novel csriterion on CHR critical pairs 
that generalizes both local and strong confluence criteria. An analogue criterion 



has been developed for linear Term Rewriting Systems (TRS) ( Jouannaud and van 



Oostrom 2009). 



4-1 Labels for Constraint Handling Rules 

In order to apply the decreasing diagram technique to CHR, we will need first to 
label CHR transitions. In this work, we will use two labelings proposed by |van| 
Oostrom (2008| ) for TRS. The first one is the so-called rule-labeling. It consists of 



labeling each transition a — > b with the name of the applied rule. This labeling 
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is idéal for capturing strong confluence- like properties for linear TRS. Within the 
proof of our main resuit, we will also use the so-called self-labeling which consists 
of labeling each transition a — > b with its source a. This second labeling captures 
the confluence of terminating rewrites. 

In practice, we will assume that the set 7Z of rule identifiers is defined as a disjoint 
union TZi l±) 7Z C . For a given program V, we dénote by V 1 (resp. V e ) the set of rules 
form V built with TZi (resp. TZ C ). We call V % the inductive part of V, because we will 
subsequently assume that V % is terminating, while V e will be called coinductive, as 
it will be typically non-terminating. 

Définition 6 (Rule-labeling) 

The rule-labeling of a CHR program V is the family of rewrites {-^r)reR indexed 
by rule identifiers, where -^> r = -^>. A preorder !>= on rule identifiers is admissible, 
if any inductive rule identifier is strictly smaller than any coinductive one (i.e. for 
any rj G TZi and any r c G 7Z C , r c y r.i holds). 



4-2 Critical peaks 

In TRS, the basic techniques used to prove confluence consist of showing various 
confluence criteria on a finite set of spécial cases, called critical pairs. Critical pairs 
are generated by a superposition algorithm, in which one attempts to capture the 
most gênerai way the left-hand sides of the two rules of the System may overlap. 
The notion of critical pairs has been successfully adapted to CHR by | Abdennadher 



et al. (1996). Here, we introduce a slight extension of the notion that takes into 



account the rule-labeling we have just defined. 
Définition 7 (Critical peak) 

Let us assume that r\ and r 2 are CHR rules renamed apart: 
(ri @Ki\Hi ^ Gi | Bi;Ci) G Vi (r 2 @ K 2 \H 2 G 2 | B 2 ;C 2 ) G T 2 

A critical ancestor ( state ) S c for the rules r\ and r 2 is a state of the form: 

S c = (Mf,E^,M£;~B;x) 
satisfying the following properties: 

• (Ki,Hi)=(Hf ,Hf), (K 2 ,H 2 )=(H^,H9), Hf 1 ^ 0, and H 2 ^ 0; 

• x\ = fv(Ki, Hi), x~2 — fv(K 2 , H 2 ) and x = x~\ U af 2 ; 

• D = (H?=1Ç, Gi, G 2 ) and 3D is C-satisfiable; 

• ET? % Ki or % K 2 . 

Then the following tuple is called a critical peak between r\ and r 2 at S^: 

(K^B^H^D^ijx) 4^ ri S c A,, (K 2 ,B 2 ,Hf ;D,C 2 ;x) 

A critical peak between a program V and a program Q is a critical peak between a 
rule of V and a rule of Q. A critical peak of a program V is a critical peak between 
V and itself. A critical peak is inductive if it involves only inductive rules (i.e. a 
critical peak of V 1 ), or coinductive if it involves at least one coinductive rule (i.e. a 
critical peak between V e and V). 
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Example 8 

Consider the solver partial order Vi, given in Example [T] The following ciritial peak 
stems from overlapping the heads of the rules antisymmetry and transitivity: 

(x = y) i^-anu. (x < y, y < x) ^> trans . (x < y, y < x, x < x) 



4-3 Rule-decreasingness 

We now corne to our main resuit, showing that the study of decreasingness with 
respect to the rule-labeling can be restricted to critical peaks without loss of gen- 
crality. 

Définition 9 [Critical rule-decreasingness) 

A program V is (critically) rule-decreasing w.r.t. an admissible preorder )p if: 

• the inductive part of V is terminating, 

■pi pi 

• ail inductive critical peaks of V are joinable by — » ■ « — , and 

• ail coinducitve critical peaks oîV are decreasing w.r.t. )p. 

A program is rule-decreasing if it is rule-decreasing with respect to some admis- 
sible preorder. A rule-decreasing program is strongly rule-decreasing if it is purely 
coinductive (i.e. without inductive rules). 

Theorem 10 

Rule-decreasing programs are confluent. 
Proof 

Let us assume that V is a rule-decreasing program w.r.t. a given preorder y-n- Now 
let (-^■a)a£(£un a )] the family of rewrites indexed by rule or state, be defined as 

p J T " > n({a} x £) if a G S (self-labeling on inductive part) 

1 { ° } > if a G 1Z C (rule-labeling on coinductive part) 

Let >p be the union of , and {(r, a) \ r G 1Z & a G /}. By assuming 

without loss of generality that 1Z is finite (i.e. y-ji is trivially wellfounded), we 
obtain that y is wellfounded. With the help of Theorem [3j it sufficcs to prove that 
each peak S a ^- a S^p Sp (a, /3 G (7Î C UE)) is decreasing w.r.t. >p. We distinguish 
two cases: 

1 The rules r a and rp used to respectively produce S a and Sp apply to différent parts 

of S. By monotonicity of CHR transitions, we infer S a S' S p. We have 

to show this valley respects property (*) within the définition of the decreasing 
diagrams. We proceed by cases on the types of the rules r a and rp: 

1.1 r a is inductive. We have a = S, a -^-» + S a , and Sp -^s p S' . 

1.1.1 rp is inductive. We have /? = S, /3 Sp, and S a A Scv S'. Since V 1 is 
terminating, we infer a >~ S a and (3 y S p. We conclude S a -^s a S 1 <r-Sp Sp, 
i.e. the peak is decreasing w.r.t. y. 
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1.1.2 rp is coinductive. We have (3 S 1Z C , S a ^p S', and j3 >~ S a . We concludc 
S a ^->s Q S' <—p Sp, i.e. the peak is decreasing w.r.t. 

1.2 r a is coinductive. We have a G 1Z C and Sp —ï a S' . 

1.2.1 rp is inductive. The case is symmetric with case 1.1.2. 

1.2.2 rp is coinductive. We have (3 £ 1Z C and S a -^p S' . We conclude S a 

"/3 S/3, 



S" 4^,3 S 1 ^, i.e. the peak is decreasing w.r.t. >p. 



2 The applications of the rules r a and rp used to respectively produce S a and Sp 
overlap. There should exist a critical peak R a S c — >>a Rp, a state R, and a 

set of variables y, such that S* = S c © s -R, S'a = R a © s -R, and Rp = Rp © 2 i?. Wc 
proceed by cases on the types of rules r a and rp: 

2.1 Both rules are inductive: We have j3 = a — S, and by hypothesis we have 

r? _ pO V* ni g* , cm — c> — » /g* E?l /gj pO _ p 
«a = -f< Q r tlct ^ '"^a = " = ' ' ' ^ ^/S ^ -""/3 = 

By monotony of CHR we infer: 

c _ cO t" , q1 7" v cm c — cri ,v* al ,v i cO — c 
D a — O a f J a f ■ ■ ■ O a — O — Op ■ ■ ■ i Op \ Dp — Dp 

where S' l a = R a © s R (for i e 0, . . . m), Sp = Rp ® s R (for i G 0, . . . n), and 
S = S' © R. By construction of (A a ) aE s X R c we get: 

c v \ ci *\ ci c m c c™ j v ci j v c 

D a — >s° à a — '"a"'^ = D = Dp i si àp < — sJJ Dp 

To conclude about the discussion of the decreasingness of the peak, it is just 
necessary to notice that for any i G 0, ... m and any j £ 0, . . . n, both S S a 
and S S j p hold, i.e. Si, S^ G Y{a,/3}. 

2.2 One of the rules is coinductive. By hypothesis we have 

R a -»Y{ri} • ^ïf{r 2 } ' -w 'Y{ri,r 3 } ' <<- Y{ri,r 3 } ' ^"^{ri} ' ^Yfra} #/3 

or equivalently by monotony of CHR: 

S a -»y{ ri } ■ ^ïr{r 2 } ' ~~*Y{ri,r 2 } ' < *~Y{ri,r a } ' ^^{n} ' *~Y{r 2 } S/9 □ 

Theorem [ÏU] strictly subsumes ail the criteria for proving confluence of CHR 
programs we are aware of, namely the local confluence ( Abdennadher et al. 1999 ) 
and the strong confluence ( Haemmerlé and Fages 2007 ) criteria. 

Corollary 11 [Local confluence) 

A terminating program V is confluent if its critical peaks are joinable by — »• «— . 



Corollary 12 (Strong confluence) 

A program V is confluent if its critical peaks are joinable by -^> = - . 

The following examples show that the rule-decreasingness criterion is more pow- 
crful than both local and strong confluence criteria. 
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(x<x,x<y) (x < y, y < z,z < y) 

antiy^ ^\trans. antiy^ ^\trans. 

{x < x) (x<x,x<y,x<x) {x < y,y = z) {x<y,y<z,z<y,x<z) 

P. .-' F. 

nul i. / reflex. du pl. /'ont*. 

{x<y,y<x) {x < y,x < z,y = z) 

Fig. 5. Some rule-decreasing critical peaks for V\ 



Example 13 

Consider the solver V\ for partial order given in Example [T] Since V\ is trivially 
non-terminating one cannot apply local confluence criterion. Strong confluence does 
not apply either, because of some non-strongly joinable critical peaks. For instance, 
considère the peak given at Example [8} 

(x = y) i^-anti. (x < y, y < x) -^t mns . (x < y, y < x, x < x) 

It can be seen that (x = y) may not be reduced, and that the right-hand side cannot 
be rewritten into the left-hand side in less than two steps (e.g. by using reflexivity 
and antisymmetry rules). 

Nonetheless, confluence of V\ can be deduced using the full generality of The- 
orem |10| For this purpose, assume that ail rules except transitivity are inductive 
and take any admissible preorder. Clearly the inductive part of V\ is terminat- 
ing. Indeed the application of any one of the three first rules strictly reduces the 
number of atoms in a state. Then by a systematic analysis of ail critical peaks of 
V\ , we prove that each peak can be closed while respecting the hypothesis of rule- 
decreasingness. In fact ail critical peaks can be closed without using transitivity. 
Some rule-decreasing diagrams involving the transitivity rule are given as examples 
in Figure [5j 

Example 14 

Consider the program V2 implemcnting the dining philosophers problem, as given 
in Example [2] The confluence of Vi cannot be inferred by either local or strong 
confluence. On the one hand, Vi is obviously non-terminating, and hence prevents 
the application of the local confluence criterion. On the other hand, V2 has critical 
peaks which are not in ( — » • « — ). Consider as an example the peak given in 
Figure [6j It is critical for the rule eating with itself, but it is not joinable by 
( — ^-> = - -s-^- = ). However, the figure shows that it is joinable by 

' thk' ^ eat' ^ thk' ^ thk' ^ eat' ^ thk 

i.e. the peak is decreasing. In fact, ail the critical peaks of V2 involve only the rule 
eat and may be closed in a similar manner. Thus, by assuming that the eat rule is 
coinductive and strictly greater than thk, we can infer, using Theorem |10[ that V2 
is confluent. 
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(f{x), f(y), f(z), t[x, y, i),t(y, z,j)) 
eat eat 



(f(z),e{x,y,i+ l),t(y,z,j)) 
thk 

{{(x),f(y),f(z),t(x,y,i + l),t(y,z,j)) 
eat 

{ï(x),t(x,y,i + l),e(y,z,j + 1)) 
thk ... 



(f(x),t(x,y,i),e(y,z,j + 1)) 
thk 

(f(x), %), f(*), t(x, y, i),t(y, z, j + 1)} 
eat 

(f(z), e(x, y, i + 1), t(y, 2, j + 1)) 
'//A- 



(f(i), %), f(z), t(as, », i + l),t(y, z, j + 1)) 
Fig. 6. A rule-decreasing critical peak of V2 



4-4 On program partitioning 

The rule-decreasingness criterion is based on the division of the program into a 
terminating part and a possibly non-terminating one. Since a program can be par- 
titioned in multiple ways, it may be the case that the rule-decreasingness of a 



program dépends on the splitting used (see Example 16). From a purely theoretical 
point of view, this is not a particular drawback, since the property we aim at prov- 
ing (i.e. the confluence of program) is undecidable. From a more pragmatical point 
of view, it appears that the classic examples of CHR programs can be proved to 
be rule-decreasing without any assumption of termination. In particular, we were 
unable to find a counterexample of a confluent but non-strongly rule-decreasing 



program in Frùhwirth s book ( 2009 ) 



Example 15 

Consider the CHR solver for partial order given in Example [I] Assuming that any 
rule is coinductive, V can be shown strongly rule-decreasing with respect the order 
)p satisfying: 

transitivity y duplicate >- antisymmetry >~ reflexivity 

As illustrated by Figure [5] critical peaks involving transitivity rules may be closed 
using only rules that are strictly smaller. Similarly, one can verify that any critical 
peak between a given rule a and a smaller (or equal) one can be closed using only 
rules strictly smaller than a (i.e. ail the peaks are trivialy decreasing). 

The choice of a good partition may simplify proofs of rule-decreasingness: by 
maximizing the inductive part of a program, the number of peaks which must be 
proved decreasing (i.e. the coinductive critical peaks) is reduced. Indeed, while the 
joinability of a peak with respect to the inductive part of program - which must 
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be terminating - is a decidable problem and can be efficiently automatizedj^] the 
rule-decreasingness of a peak with respect to a possibly non-terminating program 
is likely to be undecidable]^] Consequently, a good partition will limit the use of 
heuristics or human interactions necessary to infer a rule-decreasing diagram for 
each coinductive critical peak. 

Since termination is also an undecidable property, we cannot expect to fully 
automatize the search for the optimal partition, and we must content ourselves 
with heuristic procédures. Despite the fact that the formai development of such 
procédures is beyond the scope of this paper, our practical expérience suggests that 
a trivial partitioning may be interesting. This partition consists of considering as 
inductive only those rules that strictly reduce the number of atoms in a state. Even 
if this choice is not necessarily optimal and may even produce bad partitions, it 
does seem to produce relevant partitions for typical CHR solvers, as illustrated by 
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We now give two counterexamples. The first shows that rule-decreasingness can 
be dépendent on particular splittings, while the second présents a confluent program 
which is not rule-decreasing. 

Example 16 

Consider the following CHR rules: 

duplicate @ p(x)\p(x) T s - @ p(s(.x)) p(.x) s + @ p(a;) <^=> p(s(x)) 

We dénote by Vï 6 the program built from the duplicate and s~ rules, and by V^ 6 
the program built from the duplicate and s + rules. 

Vi 6 is clearly terminating: the duplicate rule strictly reduces the number of atoms 
in a state, while s - leaves the number of atoms unchanged, but strictly reduces the 
size of the argument of one of them. We can also verify that Vï 6 has a single critical 
peak. Figure [7] shows the only way this peak may be closed. Thus, by assuming that 
ail rules are inductive, we can infer that the program is rule-decreasing. However if 
s~ is assumed to be coinductive, we can verify that the sole critical peak of Pï 6 is 
decreasing with respect to no admissible order. 

As in the case of T 3 ^;, yields only one critical peak which is decreasing with 
respect to no admissible order (see Figure[8]). However, this time s + is not terminat- 
ing, and so cannot been assumed inductive. Consequently cannot be inferred 



to be confluent using Theorem 10 



5 Modularity of CHR confluence 

In this section, we are concerned with proving the confluence of union of con- 
fluent programs in a modular way (in particular of those programs proved con- 
fluent using the rule-decreasing criterion). In practice, we improve on a resuit of 



3 See the works about CHR local confluence ( Abdennadher et al. 1999 Abdennadher 1997 k 

4 Decreasingness of a peak for a given order seems a more ditncult problem than joinability 
without termination assumption — which is itself undecidable. 
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(p(s(x)),p(s(a:))) 
P 



(p{x),p(x)} 




<P(s(*))> 



(p(s(x)),p(x)) 



(PW> 



(p(b(x)),p(x)} 
=+ 



Fig. 7. Critical peak of PT^ 



<P(s(*))>« (pWi)),p(>(»))> 
Fig. 8. Critical peak of Vï 6 



Frùhwirth (20Q9| ) which states that a terminating union of confluent programs which 



do not overlap (i.e. which do not have a critical peak) is confluent. In particular, 
we allow some overlapping and we drop the termination hypothèses. 

Theorem 17 (Modularity of confluence) 

Let V and Q be two confluent CHR programs. If any critical peak between V and 
Q is joinable by — » ■ < — = , then VQ is confluent. 

Before formally proving the theorem, it is worth noting that, despite the fact that 
modularity of confluence and the rule-decreasing theorem have similar flavors, both 
results have différent scopes. Indeed, on the one hand modularity of confluence does 
not assume anything about the way in which V and Q are confluent. For instance, if 



V and Q are two rule-decreasing programs, Theorem 17 does not require the union 
of the inductive parts of V and Q to be terminating, while Theorem 10 does. This 
is important since, termination is not a modular property: even if two terminating 
programs do not share any user-defined atoms, one cannot be sure that their union 



is terminating. (See Section 5.4 of Frùhwirth s book (2009) for more détails.) On 



the other hand, the rule-decreasing criterion allows the critical peaks to be closed 



in a more complex way than Theorem 17 permits 



The proof of the theore m res ts on the following lemma, which states that under 



the hypothèses of Theorem 17 — > "strongly commutes" with — >. 
Lemma 18 

If critical peaks between V and Q are in — » • then -=») ç (— « 



Proof 

We prove by induction on the length of the dérivation S c S' that for any peak 
S £- S c S', the property S 4 • ^ = S' holds. The base case S c = S' is 
immédiate. For the inductive case S ^ S c A> S" A 5', we know by the induction 
hypothesis that there exists a state R, such that S R = S". From here, 
it is sufiieient to prove that R — » • -s — = S and to use the définition of relation 
composition in order to conclude. We assume that S" R, otherwise R —» ■ 
= S' holds trivially. We distinguish two cases: either the rules involved in the local 
peak R S" S' apply to différent parts of S", or else their applications 



16 



Rémy Haemmerlé 



overlap. In the first case, we use CHR monotonicity to infer R • S". In the 
second case, there must exist a critical peak R" ■ S"", a state R', and a set 
of variables x, such that R" ® s R' = R, S"" © s Rf = S'. Then by the hypothèses 
and CHR monotonicity, we obtain the results that R — » ■ S' . □ 



Proof of Theorem 1 ? 

Let — >\ = — », — »2 = — »• On one hand, by the confluence of V and Q, we have 

►i and 



n — 



(<-! ■ Ç (->•! • and («- 2 ' ->2) Ç (~>2 • <~2)- (Note that 
^>2 = - ^2-) On the other hand, by combining Lemma 18 and case (i) of Lemma|4j 
we infer (<—v —^2) Q (—>2' By a trivial application of Theorem[3j we find that 

~ ^{1,2} ïs confluent. We conclude by noting 5- Ç — Km 2} Q — », and apply case 

(ii) of Lemmaj^J (It is worth noting that — >{i,2} equals neither ^^-> nor — ^».) □ 



6 Conclusion 

By employing the decreasing diagrams technique in CHR, we have established a 
new criterion for CHR confluence that generalizes local and strong confluence cri- 
teria. The crux of this novel criterion rests on the distinction between the termi- 
nating part (the so-called inductive part) and non-terminating part (the so-called 
coinductive part) of a program, together with the labeling of transitions by rules. 
Importantly, we demonstratc that in the particular case of the proposed application 
of the decreasing diagrams, the check on decreasingness can be restricted to the sole 
critical pairs, hence making it possible to automatize the process. We also improvc 
on a resuit about the so-called modularity of confluence, which allows a modular 
combination of rule-decreasing programs, without loss of confluence. 

It is worth saying that ail the diagrammatic proofs sketched in the paper have 
been systematically verified by a prototype of a diagrammatic confluence checker. 
In practice, this checker automatically générâtes ail the critical pairs of a program 
provided with an admissible order, then using user-defined tactics (finit sets of 
réductions) tries to join thèse while respecting rule-decreasingness. 

Current work involves investigating the dcvelopmcnt of heuristics to automati- 
cally infer rule-decreasingness without human interaction. We also plan to develop 
a new completion procédure based on the criterion presented here. Because du- 
plicate removal is an important programming idiom of CHR, the development of 
new confluence-proof techniques capable of dealing with confluent but non-rule- 
decreasing programs, like those given in Example [T6j is also worth investigating. 
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